Michael Morin

Rails Vulnerabilities, Your Web Apps Are at Risk

January 8, 2013


According to the announcement, there are several vulnerabilities having to do with Rails parameter parsing.  Parameter parsing lets a client pass XML data to Rails, which is parsed automatically into various Ruby types.  This is a convenience feature: the client gives you XML and you magically get Ruby objects without having to parse them by hand.  However, several bugs in this code allow an attacker to do all types of nasty things, including arbitrary code execution and SQL injection.

This is big; you should be patching your servers or disabling this feature ASAP.  There are detailed instructions in the vulnerability announcement on the mailing list.
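The root of the problem described above is that the XML parser honoured a `type` attribute that could name Ruby types far more powerful than strings and integers.  The defensive design is an allowlist: convert only the handful of types you actually need and refuse everything else.  The following is an added, standalone illustration of that idea using Ruby's bundled REXML library; it is not Rails' own parser, and it assumes a simple one-element-per-key XML layout, a constructed sample document, and hypothetical helper names (`xml_to_hash`, `typecast`, `UnsafeTypeError`).

```ruby
require 'rexml/document'

# Allowlist of XML "type" attribute values we are willing to convert.
# Anything not listed here (notably "yaml" and "symbol") is rejected
# instead of being handed to a more powerful deserializer.
SAFE_TYPES = {
  'string'  => ->(s) { s },
  'integer' => ->(s) { Integer(s, 10) },   # strict: "42abc" raises
  'float'   => ->(s) { Float(s) },
  'boolean' => ->(s) { %w[true 1].include?(s.strip) }
}.freeze

class UnsafeTypeError < StandardError; end

# Convert a leaf element's text according to its declared type.
# A missing type attribute means "plain string".
def typecast(text, type)
  return text if type.nil?
  caster = SAFE_TYPES.fetch(type) do
    raise UnsafeTypeError, "refusing to typecast XML node of type #{type.inspect}"
  end
  caster.call(text)
end

# Recursively turn an element into a Ruby value: leaves become typecast
# scalars, elements with children become a Hash keyed by child name.
def node_to_value(node)
  children = node.elements.to_a
  return typecast(node.text.to_s, node.attributes['type']) if children.empty?

  children.each_with_object({}) do |child, hash|
    hash[child.name] = node_to_value(child)
  end
end

# Entry point: parse an XML string and return the converted root value.
def xml_to_hash(xml)
  node_to_value(REXML::Document.new(xml).root)
end

# Convenience check used when verifying the allowlist behaviour.
def rejects?(xml)
  xml_to_hash(xml)
  false
rescue UnsafeTypeError
  true
end

# Constructed sample input (not from the page): a benign document and two
# documents that try to request types outside the allowlist.
BENIGN_XML    = '<user><name>bob</name><age type="integer">42</age><admin type="boolean">false</admin></user>'
YAML_TYPE_XML = '<user><note type="yaml">irrelevant</note></user>'
SYM_TYPE_XML  = '<user><note type="symbol">irrelevant</note></user>'

if __FILE__ == $PROGRAM_NAME
  p xml_to_hash(BENIGN_XML)        # {"name"=>"bob", "age"=>42, "admin"=>false}
  p rejects?(YAML_TYPE_XML)         # true
  p rejects?(SYM_TYPE_XML)          # true
end
```

The announcement's own workaround for installations that could not patch immediately takes the same allowlisting approach at the framework level, removing the "yaml" and "symbol" entries from ActiveSupport::XmlMini::PARSING, or removing the XML parameter parser entirely if the application never accepts XML input.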


©2014 About.com. All rights reserved.